North Korean cyber espionage group Lazarus has been detected using fake video conferencing software to target job seekers, according to a warning issued by cybersecurity firm Group-IB. The group’s tactics have expanded to multiple job platforms and now target both Windows and macOS users, employing sophisticated malware to deceive unsuspecting individuals.
Background of Lazarus Attacks
Lazarus, known for its advanced persistent threat (APT) campaigns, has been identified as the perpetrator behind several high-profile cyber attacks. Over the past few years, the group has increasingly focused on targeting job seekers, particularly those in the software development field. One notable campaign, known as Contagious Interview or Dev#Popper, has garnered significant attention from researchers.
The Latest Campaign
In the latest campaign, Group-IB discovered a malicious program disguised as the legitimate video conferencing software FreeConference. The malware, identified as BeaverTail, is distributed to job seekers under the guise of a job interview process. The campaign was first detected in mid-August, with researchers confirming that it is part of Lazarus’s toolkit.
Modus Operandi
The hackers begin by searching for potential targets on various job platforms, including LinkedIn, WWR, Moonlight, and Upwork. Once contact is established, they attempt to switch the conversation to Telegram, a messaging platform that offers greater privacy. They then request that the job seeker download a specific video conferencing application or a Node.js project as part of the interview process.
Upon execution, BeaverTail installs a Python-based backdoor called InvisibleFerret on the victim’s computer. This backdoor allows the hackers to steal sensitive information, such as login credentials, and deploy additional malware.
Evolution of Tactics
Lazarus’s tactics have evolved over time. Initially, the group focused on targeting repositories related to cryptocurrency to attract professionals seeking jobs. Recently, they have expanded their scope to include repositories related to gaming, using similar tactics to deceive job seekers into downloading malicious software.
The group has also changed its approach by using fake video conferencing software as a lure. This shift is significant as it takes advantage of the increased reliance on remote interviews and online collaboration tools, particularly in the wake of the COVID-19 pandemic.
Technical Analysis
The malicious websites used to distribute the fake FreeConference application and another fake software called MiroTalk share the same SSL certificate, issued on August 2. Researchers have observed three Windows installers (FCCCall.msi) of BeaverTail between late July and mid-August. These installers were built using the cross-platform development framework Qt6, with a macOS version soon following.
When the fake video conferencing software is launched, it prompts the user to enter a meeting invitation code. Simultaneously, the malware operates in the background, extracting login credentials from browsers and their extensions. If successful, it downloads a Python executable and the InvisibleFerret payload for the next stage of the attack.
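The behaviour described above (a newly installed "conferencing" process reading browser credential stores and then fetching a Python runtime) is the kind of chain an endpoint detection rule can correlate. The following is an added illustration, not Group-IB's code or the malware's: the telemetry format, the process names (FCCCall.exe, FreeConference) and the download file names are constructed assumptions, while the profile paths follow Chromium's real layout.

```python
"""Correlate browser-credential access with a follow-on Python download.

Added example; the telemetry tuples below are constructed, not real logs.
"""
from collections import defaultdict

# Processes that legitimately read their own credential stores.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# Path fragments of Chromium credential and extension storage.
CRED_MARKERS = ("Login Data", "Local Extension Settings")

# Constructed endpoint telemetry: (process, event type, target).
# Process names are assumptions for illustration; FCCCall.msi is the
# installer name reported in the article.
EVENTS = [
    ("chrome.exe", "file_read",
     r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("FCCCall.exe", "file_read",
     r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("FCCCall.exe", "file_read",
     r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\x"),
    ("FCCCall.exe", "net_download", "python-3.12-embed-amd64.zip"),
    ("FreeConference", "file_read",
     "/Users/u/Library/Application Support/Google/Chrome/Default/Login Data"),
    ("explorer.exe", "net_download", "report.pdf"),
]


def detect(events):
    """Return sorted (process, stages) findings.

    A non-browser process reading a credential store is tagged
    'credential_access'; if that same process later downloads a Python
    runtime, 'python_download' is added, mirroring the two-step chain
    the article attributes to BeaverTail.
    """
    suspects = defaultdict(set)
    for proc, kind, target in events:
        name = proc.lower()
        if kind == "file_read" and any(m in target for m in CRED_MARKERS):
            if name not in BROWSERS:
                suspects[name].add("credential_access")
        elif kind == "net_download" and "python" in target.lower():
            # Only escalate processes already seen touching credentials.
            if "credential_access" in suspects[name]:
                suspects[name].add("python_download")
    return sorted((p, "+".join(sorted(s))) for p, s in suspects.items())


if __name__ == "__main__":
    for proc, stages in detect(EVENTS):
        print(f"{proc}: {stages}")
```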
Advanced Capabilities
Lazarus has also developed a more powerful Python version of BeaverTail that, in addition to data theft, can deploy AnyDesk for remote access. The group has also created plugins to extend the malware’s functionality, with researchers noting the presence of new, yet-to-be-used functions, indicating active development.
Implications and Precautions
The targeting of job seekers by Lazarus highlights the need for increased vigilance among individuals and organizations. Job seekers should be cautious of unsolicited job offers and requests to download software from unverified sources. Organizations should implement robust cybersecurity measures to protect their employees and systems from such sophisticated threats.
As the cyber landscape continues to evolve, it is essential for both individuals and organizations to stay informed and proactive in their cybersecurity efforts. The activities of groups like Lazarus serve as a stark reminder of the persistent and evolving nature of cyber threats.